Subject: Re: [xacml-comment] Multiple Request Subject elements
Hi Wes,

In a sense, a policy, policy set, or rule matches subjects. Subjects do not match policies.

In a target, each match is a boolean function. At the base level, i.e. within a <Subject> element, they are combined as a conjunctive sequence (i.e. AND) on the same particular subject in the request context. If one of the subjects matches the whole criteria, then you have a match, and the boolean is effectively true.

Being that the <Subject> element forms a boolean predicate itself, the <Subjects> element forms a boolean function as a disjunctive sequence (i.e. OR) of <Subject> predicates.

How do you think this would lead to problems with security? Which problems?

-Polar

On Mon, 16 Dec 2002, Wes Kubo wrote:

> From reading the spec I'm unclear as to whether every Subject (if more than
> one is specified) in the request must have a match in the policy (Target or
> Rule/Target) for the Target to be applicable in terms of the Subject. It was
> my gut feeling that the answer is yes, but looking at test IIB028 would lead
> me to believe otherwise. It seems to me that this could lead to problems
> with security. Can anyone shed some light on this issue?
>
> Thanks for your time.
>
> Wes
>
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>
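The matching semantics described in the reply above, as an added Python sketch that is not part of the original thread or of any XACML implementation. It assumes every match is a plain string-equality test; the attribute names, values and function names are constructed for illustration.

```python
# Added illustration, not code from the XACML specification or a real PDP.
# Assumption: each match inside a <Subject> is (attribute_id, required_value)
# and a request subject is a dict of attribute_id -> set of values.

def subject_element_matches(subject_element, request_subjects):
    """One <Subject>: every match must hold on the SAME request subject (AND).
    It is enough that one request subject satisfies the whole criteria."""
    return any(
        all(value in req.get(attr, set()) for attr, value in subject_element)
        for req in request_subjects
    )

def subjects_matches(subjects_element, request_subjects):
    """<Subjects>: disjunction (OR) of its <Subject> predicates."""
    return any(subject_element_matches(s, request_subjects)
               for s in subjects_element)

def unmatched_request_subjects(subjects_element, request_subjects):
    """Indices of request subjects that satisfy no <Subject> on their own.
    These subjects do not stop the target from applying."""
    return [i for i, req in enumerate(request_subjects)
            if not subjects_matches(subjects_element, [req])]

# Constructed target: (doctor AND cardiology) OR (admin)
TARGET = [
    [("role", "doctor"), ("dept", "cardiology")],
    [("role", "admin")],
]

# Constructed requests
REQ_ONE_OF_TWO = [                      # first subject meets the whole criteria
    {"role": {"doctor"}, "dept": {"cardiology"}},
    {"role": {"intern"}},
]
REQ_SPLIT = [                           # criteria spread over two subjects
    {"role": {"doctor"}},
    {"dept": {"cardiology"}},
]

if __name__ == "__main__":
    print(subjects_matches(TARGET, REQ_ONE_OF_TWO))            # target applies
    print(unmatched_request_subjects(TARGET, REQ_ONE_OF_TWO))  # subject 1 unmatched
    print(subjects_matches(TARGET, REQ_SPLIT))                 # no single subject matches
```

A policy author who needs every request subject to be covered has to express that separately; the target match alone only establishes that at least one subject satisfied one `<Subject>` predicate.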